mod-security-users

greetings all, i am running a lot of issue in compiling mod_security on IBM
RHEL 5. will appreciate any help.
problem: make test fails.
env: RHEL 5 with IBM http server (not default apache), 32bit machine,
mod_security 2.5.9 source downloaded from mod_security site.
questions:
1. which OS user should mod_security be compiled as? the Apache owner or
root? or does it matter?
2. the --with-pcre option, should it point to pcre-config or some bin/lib
dir?
3. for all the apxs, pcre, apr. apu, which both devel and binary package are
installed, and some of which may have more than 1 binary package installed,
such as pcre, how do I make sure mod_security knows to point to the right
header in compiling and right lib in running? can I include the specif
binary path in LD_PATH env? if so, but for which OS user?
thanks in advance.
4. is there an earlier version which is easier to compile? I do not have to
use the latest one.
steps performed:
1. install the following devel packages;
# yum install libxml2-devel httpd-devel curl-devel pcre-devel
2. run configure with options:
./configure --with-apxs=/opt/IBMIHS/bin/apxs
--with-apr=/opt/IBMIHS/bin/apr-config --with-apu=/opt/IBMIHS/bin/apu-config
this step completes but I suspect the right lib for apu is not located. see
msg.
configure: checking httpd version
configure: httpd is recent enough
Use of uninitialized value in concatenation (.) or string at
/opt/IBMIHS/bin/apxs line 275.
checking for libpcre config script... /usr/bin/pcre-config
configure: using '-lpcre' for pcre Library
checking for libapr config script... /opt/IBMIHS/bin/apr-config
configure: using ' -lrt -lm -lcrypt -lnsl -ldl' for apr Library
checking for libapr-util config script... /opt/IBMIHS/bin/apu-config
configure: using ' -L/opt/IBMIHS/lib -laprutil-0' for apu Library
checking for libxml2 config script... /usr/bin/xml2-config
configure: using '-L/usr/lib -lxml2 -lz -lm' for libxml Library
checking for pkg-config script for lua library... no
configure: optional lua library not found
checking for libcurl config script... /usr/bin/curl-config
configure: using '-L/usr/kerberos/lib -lcurl -ldl -lgssapi_krb5 -lkrb5
-lk5crypto -lcom_err -lidn -lssl -lcrypto -lz ' for curl Library
configure: creating ./config.status
3. run make test to verify and see errors here;
gcc re.o re_operators.o re_actions.o re_tfns.o re_variables.o msc_logging.o
msc_xml.o msc_multipart.o modsecurity.o msc_parsers.o msc_util.o msc_pcre.o
persist_dbm.o msc_reqbody.o msc_geo.o acmp.o msc_lua.o msc_release.o -o
msc_test msc_test.o -lpcre -L/usr/lib -lxml2 -lz -lm -L/opt/IBMIHS/lib
/opt/IBMIHS/lib/libapr-0.so /opt/IBMIHS/lib/libaprutil-0.so -Wl,--rpath
-Wl,/opt/IBMIHS/lib -Wl,--rpath -Wl,/opt/IBMIHS/lib
gcc: re.o: No such file or directory
gcc: re_operators.o: No such file or directory
gcc: re_actions.o: No such file or directory
gcc: re_tfns.o: No such file or directory
gcc: re_variables.o: No such file or directory
gcc: msc_logging.o: No such file or directory
gcc: msc_xml.o: No such file or directory

Yi Li wrote:
> greetings all, i am running a lot of issue in compiling mod_security on
> IBM RHEL 5. will appreciate any help.
>
> problem: make test fails.
> env: RHEL 5 with IBM http server (not default apache), 32bit machine,
> mod_security 2.5.9 source downloaded from mod_security site.
>
> questions:
> 1. which OS user should mod_security be compiled as? the Apache owner or
> root? or does it matter?
Anything except root :) Only the install needs to run as root. I do this:
./configure && make && make test && sudo make install
> 2. the --with-pcre option, should it point to pcre-config or some
> bin/lib dir?
The directory where pcre-config is (or the parent if it is in a 'bin'
dir). For example: --with-pcre=/usr will take /usr/bin/pcre-config.
This is fixed for the next release so you can specify the full path to
the pcre-config.
> 3. for all the apxs, pcre, apr. apu, which both devel and binary package
> are installed, and some of which may have more than 1 binary package
> installed, such as pcre, how do I make sure mod_security knows to point
> to the right header in compiling and right lib in running? can I include
> the specif binary path in LD_PATH env? if so, but for which OS user?
> thanks in advance.
Never compile as root. I would set the envs in a script or on the
commandline.
Typically your OS will have some sort of preferences system
(alternatives) or there will be different versions of the configs. Do
you have different pcre-config versions?
> 4. is there an earlier version which is easier to compile? I do not have
> to use the latest one.
No, but there may be a later version soon.
>
>
>
> steps performed:
> 1. install the following devel packages;
>
> # yum install libxml2-devel httpd-devel curl-devel pcre-devel
>
> 2. run configure with options:
> ./configure --with-apxs=/opt/IBMIHS/bin/apxs
> --with-apr=/opt/IBMIHS/bin/apr-config --with-apu=/opt/IBMIHS/bin/apu-config
Most vendors will build Apache httpd linked to the libpcre installed on
the system. This makes things much easier and more flexible. However,
IBMs IHS has pcre linked in. So, you need to make sure you are building
with the same pcre (version and 32-bit vs 64-bit).
try this (assuming a bourne shell):
PATH=/opt/IBMIHS/bin:$PATH \
CPPFLAGS='-I/opt/IBMIHS/include' \
LD_LIBRARY_PATH=/opt/IBMIHS/lib:$LD_LIBRARY_PATH \
./configure \
--with-apxs=/opt/IBMIHS/bin/apxs \
--with-apr=/opt/IBMIHS/bin/apr-config \
--with-apu=/opt/IBMIHS/bin/apu-config
PATH/CPPFLAGS may not be needed, but I cannot tell since you did not
include any output from the make process. If you still have issues,
include the full output of each step.
> this step completes but I suspect the right lib for apu is not located.
> see msg.
>
> configure: checking httpd version
> configure: httpd is recent enough
> Use of uninitialized value in concatenation (.) or string at
> /opt/IBMIHS/bin/apxs line 275.
> checking for libpcre config script... /usr/bin/pcre-config
> configure: using '-lpcre' for pcre Library
> checking for libapr config script... /opt/IBMIHS/bin/apr-config
> configure: using ' -lrt -lm -lcrypt -lnsl -ldl' for apr Library
> checking for libapr-util config script... /opt/IBMIHS/bin/apu-config
> configure: using ' -L/opt/IBMIHS/lib -laprutil-0' for apu Library
> checking for libxml2 config script... /usr/bin/xml2-config
> configure: using '-L/usr/lib -lxml2 -lz -lm' for libxml Library
> checking for pkg-config script for lua library... no
> configure: optional lua library not found
> checking for libcurl config script... /usr/bin/curl-config
> configure: using '-L/usr/kerberos/lib -lcurl -ldl -lgssapi_krb5 -lkrb5
> -lk5crypto -lcom_err -lidn -lssl -lcrypto -lz ' for curl Library
> configure: creating ./config.status
>
> 3. run make test to verify and see errors here;
You forgot to run "make" first.
>
> gcc re.o re_operators.o re_actions.o re_tfns.o re_variables.o
> msc_logging.o msc_xml.o msc_multipart.o modsecurity.o msc_parsers.o
> msc_util.o msc_pcre.o persist_dbm.o msc_reqbody.o msc_geo.o acmp.o
> msc_lua.o msc_release.o -o msc_test msc_test.o -lpcre -L/usr/lib -lxml2
> -lz -lm -L/opt/IBMIHS/lib /opt/IBMIHS/lib/libapr-0.so
> /opt/IBMIHS/lib/libaprutil-0.so -Wl,--rpath -Wl,/opt/IBMIHS/lib
> -Wl,--rpath -Wl,/opt/IBMIHS/lib
> gcc: re.o: No such file or directory
> gcc: re_operators.o: No such file or directory
> gcc: re_actions.o: No such file or directory
> gcc: re_tfns.o: No such file or directory
> gcc: re_variables.o: No such file or directory
> gcc: msc_logging.o: No such file or directory
> gcc: msc_xml.o: No such file or directory
-B
--
Brian Rectanus
Breach Security

Brian, thanks for the reply. see my comments below in yellow.
On Wed, Jun 24, 2009 at 12:30 PM, Brian Rectanus
<Brian.Rectanus@...>wrote:
> Yi Li wrote:
>
>> greetings all, i am running a lot of issue in compiling mod_security on
>> IBM RHEL 5. will appreciate any help.
>>
>> problem: make test fails.
>> env: RHEL 5 with IBM http server (not default apache), 32bit machine,
>> mod_security 2.5.9 source downloaded from mod_security site.
>>
>> questions:
>> 1. which OS user should mod_security be compiled as? the Apache owner or
>> root? or does it matter?
>>
>
> Anything except root :) Only the install needs to run as root. I do this:
>
> ./configure && make && make test && sudo make install
>
> 2. the --with-pcre option, should it point to pcre-config or some
>> bin/lib dir?
>>
>
> The directory where pcre-config is (or the parent if it is in a 'bin' dir).
> For example: --with-pcre=/usr will take /usr/bin/pcre-config. This is fixed
> for the next release so you can specify the full path to the pcre-config.
>
> 3. for all the apxs, pcre, apr. apu, which both devel and binary package
>> are installed, and some of which may have more than 1 binary package
>> installed, such as pcre, how do I make sure mod_security knows to point
>> to the right header in compiling and right lib in running? can I include
>> the specif binary path in LD_PATH env? if so, but for which OS user?
>> thanks in advance.
>>
>
> Never compile as root. I would set the envs in a script or on the
> commandline.
>
> Typically your OS will have some sort of preferences system (alternatives)
> or there will be different versions of the configs. Do you have different
> pcre-config versions?
-- I am not sure about this. does it matter if I have two PCRE
installation on the host for compiling? I guess the --with-pcre will point
to one PCRE installation in compiling. do I need to do anything to make sure
mod_security knows where to look for the header files?
>
>
> 4. is there an earlier version which is easier to compile? I do not have
>> to use the latest one.
>>
>
> No, but there may be a later version soon.
>
>
>
>>
>>
>> steps performed:
>> 1. install the following devel packages;
>>
>> # yum install libxml2-devel httpd-devel curl-devel pcre-devel
>>
>> 2. run configure with options:
>> ./configure --with-apxs=/opt/IBMIHS/bin/apxs
>> --with-apr=/opt/IBMIHS/bin/apr-config
>> --with-apu=/opt/IBMIHS/bin/apu-config
>>
>
> Most vendors will build Apache httpd linked to the libpcre installed on the
> system. This makes things much easier and more flexible. However, IBMs IHS
> has pcre linked in. So, you need to make sure you are building with the
> same pcre (version and 32-bit vs 64-bit).
>
> try this (assuming a bourne shell):
>
> PATH=/opt/IBMIHS/bin:$PATH \
> CPPFLAGS='-I/opt/IBMIHS/include' \
> LD_LIBRARY_PATH=/opt/IBMIHS/lib:$LD_LIBRARY_PATH \
> ./configure \
> --with-apxs=/opt/IBMIHS/bin/apxs \
> --with-apr=/opt/IBMIHS/bin/apr-config \
> --with-apu=/opt/IBMIHS/bin/apu-config
>
> PATH/CPPFLAGS may not be needed, but I cannot tell since you did not
> include any output from the make process. If you still have issues, include
> the full output of each step.
>
> this step completes but I suspect the right lib for apu is not located.
>> see msg.
>>
>> configure: checking httpd version
>> configure: httpd is recent enough
>> Use of uninitialized value in concatenation (.) or string at
>> /opt/IBMIHS/bin/apxs line 275.
>> checking for libpcre config script... /usr/bin/pcre-config
>> configure: using '-lpcre' for pcre Library
>> checking for libapr config script... /opt/IBMIHS/bin/apr-config
>> configure: using ' -lrt -lm -lcrypt -lnsl -ldl' for apr Library
>> checking for libapr-util config script... /opt/IBMIHS/bin/apu-config
>> configure: using ' -L/opt/IBMIHS/lib -laprutil-0' for apu Library
>> checking for libxml2 config script... /usr/bin/xml2-config
>> configure: using '-L/usr/lib -lxml2 -lz -lm' for libxml Library
>> checking for pkg-config script for lua library... no
>> configure: optional lua library not found
>> checking for libcurl config script... /usr/bin/curl-config
>> configure: using '-L/usr/kerberos/lib -lcurl -ldl -lgssapi_krb5 -lkrb5
>> -lk5crypto -lcom_err -lidn -lssl -lcrypto -lz ' for curl Library
>> configure: creating ./config.status
>>
>> 3. run make test to verify and see errors here;
>>
>
>
> You forgot to run "make" first.
>
>
>
>> gcc re.o re_operators.o re_actions.o re_tfns.o re_variables.o
>> msc_logging.o msc_xml.o msc_multipart.o modsecurity.o msc_parsers.o
>> msc_util.o msc_pcre.o persist_dbm.o msc_reqbody.o msc_geo.o acmp.o
>> msc_lua.o msc_release.o -o msc_test msc_test.o -lpcre -L/usr/lib -lxml2
>> -lz -lm -L/opt/IBMIHS/lib /opt/IBMIHS/lib/libapr-0.so
>> /opt/IBMIHS/lib/libaprutil-0.so -Wl,--rpath -Wl,/opt/IBMIHS/lib
>> -Wl,--rpath -Wl,/opt/IBMIHS/lib
>> gcc: re.o: No such file or directory
>> gcc: re_operators.o: No such file or directory
>> gcc: re_actions.o: No such file or directory
>> gcc: re_tfns.o: No such file or directory
>> gcc: re_variables.o: No such file or directory
>> gcc: msc_logging.o: No such file or directory
>> gcc: msc_xml.o: No such file or directory
>>
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>

a few more questions, see highlighted, thanks in advance.
On Wed, Jun 24, 2009 at 3:48 PM, Yi Li <yi.li26@...> wrote:
> Brian, thanks for the reply. see my comments below in yellow.
>
> On Wed, Jun 24, 2009 at 12:30 PM, Brian Rectanus <
> Brian.Rectanus@...> wrote:
>
>> Yi Li wrote:
>>
>>> greetings all, i am running a lot of issue in compiling mod_security on
>>> IBM RHEL 5. will appreciate any help.
>>>
>>> problem: make test fails.
>>> env: RHEL 5 with IBM http server (not default apache), 32bit machine,
>>> mod_security 2.5.9 source downloaded from mod_security site.
>>>
>>> questions:
>>> 1. which OS user should mod_security be compiled as? the Apache owner or
>>> root? or does it matter?
>>>
>>
>> Anything except root :) Only the install needs to run as root. I do
>> this:
>>
>> ./configure && make && make test && sudo make install
>
>
if 'make test' fails, does it nessesarily mean the make fails or
I can ignore the error msg from 'make test'?
>
>>
>> 2. the --with-pcre option, should it point to pcre-config or some
>>> bin/lib dir?
>>>
>>
>> The directory where pcre-config is (or the parent if it is in a 'bin'
>> dir). For example: --with-pcre=/usr will take /usr/bin/pcre-config. This is
>> fixed for the next release so you can specify the full path to the
>> pcre-config.
>
>
does this apply with other parameters such as apxs, apr or apu?
or I need to specify the full path to these parameters?
>
>>
>>
>>> 3. for all the apxs, pcre, apr. apu, which both devel and binary package
>>> are installed, and some of which may have more than 1 binary package
>>> installed, such as pcre, how do I make sure mod_security knows to point
>>> to the right header in compiling and right lib in running? can I include
>>> the specif binary path in LD_PATH env? if so, but for which OS user?
>>> thanks in advance.
>>>
>>
>> Never compile as root. I would set the envs in a script or on the
>> commandline.
>>
>> Typically your OS will have some sort of preferences system (alternatives)
>> or there will be different versions of the configs. Do you have different
>> pcre-config versions?
>
>
> -- I am not sure about this. does it matter if I have two PCRE
> installation on the host for compiling? I guess the --with-pcre will point
> to one PCRE installation in compiling. do I need to do anything to make sure
> mod_security knows where to look for the header files?
>
>>
>>
>> 4. is there an earlier version which is easier to compile? I do not have
>>> to use the latest one.
>>>
>>
>> No, but there may be a later version soon.
>>
>>
>>
>>>
>>>
>>> steps performed:
>>> 1. install the following devel packages;
>>>
>>> # yum install libxml2-devel httpd-devel curl-devel pcre-devel
>>>
>>> 2. run configure with options:
>>> ./configure --with-apxs=/opt/IBMIHS/bin/apxs
>>> --with-apr=/opt/IBMIHS/bin/apr-config
>>> --with-apu=/opt/IBMIHS/bin/apu-config
>>>
>>
>> Most vendors will build Apache httpd linked to the libpcre installed on
>> the system. This makes things much easier and more flexible. However, IBMs
>> IHS has pcre linked in. So, you need to make sure you are building with the
>> same pcre (version and 32-bit vs 64-bit).
>>
>> try this (assuming a bourne shell):
>>
>> PATH=/opt/IBMIHS/bin:$PATH \
>> CPPFLAGS='-I/opt/IBMIHS/include' \
>> LD_LIBRARY_PATH=/opt/IBMIHS/lib:$LD_LIBRARY_PATH \
>> ./configure \
>> --with-apxs=/opt/IBMIHS/bin/apxs \
>> --with-apr=/opt/IBMIHS/bin/apr-config \
>> --with-apu=/opt/IBMIHS/bin/apu-config
>>
>> PATH/CPPFLAGS may not be needed, but I cannot tell since you did not
>> include any output from the make process. If you still have issues, include
>> the full output of each step.
>>
>> this step completes but I suspect the right lib for apu is not located.
>>> see msg.
>>>
>>> configure: checking httpd version
>>> configure: httpd is recent enough
>>> Use of uninitialized value in concatenation (.) or string at
>>> /opt/IBMIHS/bin/apxs line 275.
>>> checking for libpcre config script... /usr/bin/pcre-config
>>> configure: using '-lpcre' for pcre Library
>>> checking for libapr config script... /opt/IBMIHS/bin/apr-config
>>> configure: using ' -lrt -lm -lcrypt -lnsl -ldl' for apr Library
>>> checking for libapr-util config script... /opt/IBMIHS/bin/apu-config
>>> configure: using ' -L/opt/IBMIHS/lib -laprutil-0' for apu Library
>>> checking for libxml2 config script... /usr/bin/xml2-config
>>> configure: using '-L/usr/lib -lxml2 -lz -lm' for libxml Library
>>> checking for pkg-config script for lua library... no
>>> configure: optional lua library not found
>>> checking for libcurl config script... /usr/bin/curl-config
>>> configure: using '-L/usr/kerberos/lib -lcurl -ldl -lgssapi_krb5 -lkrb5
>>> -lk5crypto -lcom_err -lidn -lssl -lcrypto -lz ' for curl Library
>>> configure: creating ./config.status
>>>
>>> 3. run make test to verify and see errors here;
>>>
>>
>>
>> You forgot to run "make" first.
>>
>>
>>
>>> gcc re.o re_operators.o re_actions.o re_tfns.o re_variables.o
>>> msc_logging.o msc_xml.o msc_multipart.o modsecurity.o msc_parsers.o
>>> msc_util.o msc_pcre.o persist_dbm.o msc_reqbody.o msc_geo.o acmp.o
>>> msc_lua.o msc_release.o -o msc_test msc_test.o -lpcre -L/usr/lib -lxml2
>>> -lz -lm -L/opt/IBMIHS/lib /opt/IBMIHS/lib/libapr-0.so
>>> /opt/IBMIHS/lib/libaprutil-0.so -Wl,--rpath -Wl,/opt/IBMIHS/lib
>>> -Wl,--rpath -Wl,/opt/IBMIHS/lib
>>> gcc: re.o: No such file or directory
>>> gcc: re_operators.o: No such file or directory
>>> gcc: re_actions.o: No such file or directory
>>> gcc: re_tfns.o: No such file or directory
>>> gcc: re_variables.o: No such file or directory
>>> gcc: msc_logging.o: No such file or directory
>>> gcc: msc_xml.o: No such file or directory
>>>
>>
>> -B
>>
>> --
>> Brian Rectanus
>> Breach Security
>>
>
>